Multi site to site VPN Mesh

  • Hello all,

I am trying to set up a mesh site-to-site. Right now I have a hub and spoke configuration. My data center is central to all sites, and this is where the sites access all services including internet. The site-to-site between the data center and each site is working fine. So site A, site B, and site C connect to site D (data center) just fine and can traverse other sites through the data center. When site A needs a file from site B, it goes through the data center to site B, gets the file, and goes back through the data center to site A. Geographically this takes a 6,000 mile round trip. I would like to configure site-to-sites between the remote sites as well, so that when site A wants a file from site B or C it can go direct, which would cut the round trip by 5,900 miles. When they are accessing large files this trip takes longer than it should. Each site has a fast broadband connection. Any ideas on best practices and whether this is possible for a single WAN? I think it should be possible, but when I try it on the pfSense boxes the VPN does not seem to log anything for the site-to-sites. I am running Netgate C2758 firewalls with firmware 2.1.5. I would move to firmware 2.2, but there are too many bugs in it right now.

    Thanks, any help is appreciated.


  • Yes, should be no problem. You need to decide which sites will have OpenVPN servers and which will have OpenVPN clients. The servers need to be at sites that have a public IP address that "works" for remote access (i.e. if you have small offices stuck behind Carrier Grade NAT (CGN) then they cannot host a server).

    If there are only a few sites (6 or so) then it might be easy to just use site-to-site with pre-shared key and make 1 server for every client.

In the Local Network/s and Remote Network/s boxes put just the office LAN that is at each end of the relevant link.

The existing links to the data centre will currently have a longer list of subnets in the Remote Network/s box at the client end and/or the Local Network/s list at the datacentre server end. Cut down those lists so they just mention the datacentre LAN network.

    Then the routing should automagically go directly in 1 hop across the relevant OpenVPN link to the office concerned.

I figured it was something like this. I have over 60 sites, but have narrowed it down to geographical areas. I plan on implementing this in three sites first and then breaking the rest up. Most data will still be going to our data center, so removing the remote LAN is not an option at the data center. I think I can just set up routes or administrative distances.

    Thanks for your reply,
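The two approaches above (trimming the Remote Network/s lists per link, versus keeping the full list on the data-centre link and adding direct links on top) come down to what ends up in the firewall's routing table: each Remote Network/s entry becomes a `route` statement in the OpenVPN config, and the kernel then picks the most specific matching prefix. The following is an added illustration, not code from the thread, from pfSense or from OpenVPN; the site subnets, tunnel interface names (`ovpnc_dc`, `ovpn_ab`, `ovpn_ac`) and the `10.0.0.0/8` summary are constructed assumptions. It models longest-prefix-match lookup for site A's table under each layout, and shows why adding a direct link while leaving the same /24 on the data-centre link gives two candidate routes of equal length, which is a tie the kernel will not resolve for you (on pfSense the second `route add` for an already-present prefix simply fails, so whichever tunnel came up first keeps the route). Keeping a catch-all via the data centre only works cleanly if that route is a less specific summary than the per-site /24s carried by the direct links.

```python
"""Longest-prefix-match model of the site-to-site routing change.

Added illustration, not from the forum thread, pfSense or OpenVPN.
Site LANs, tunnel interface names and the summary prefix are constructed
assumptions; the behaviour modelled is ordinary longest-prefix-match
routing, which is what the kernel applies to the `route` statements
OpenVPN installs for each Remote Network/s entry.
"""
from ipaddress import ip_address, ip_network

# Constructed site LANs (assumption): site D is the data centre hub.
LANS = {
    "A": ip_network("10.1.0.0/24"),
    "B": ip_network("10.2.0.0/24"),
    "C": ip_network("10.3.0.0/24"),
    "D": ip_network("10.10.0.0/24"),
}


def lookup(routes, dst):
    """Return the outgoing interface for dst by longest prefix match.

    routes: list of (network, interface). An exact tie between different
    interfaces raises, because two OpenVPN instances installing the same
    prefix is not a routing policy: the second route add fails and which
    tunnel wins depends on start order.
    """
    dst = ip_address(dst)
    matching = [(n, i) for n, i in routes if dst in n]
    if not matching:
        return None
    longest = max(n.prefixlen for n, _ in matching)
    winners = sorted({i for n, i in matching if n.prefixlen == longest})
    if len(winners) > 1:
        raise ValueError(f"ambiguous routes for {dst}: {winners}")
    return winners[0]


def hub_and_spoke_routes_at_a():
    """Site A today: every remote LAN is listed in Remote Network/s on the
    client tunnel to the data centre, so everything leaves via ovpnc_dc."""
    return [(LANS[s], "ovpnc_dc") for s in ("B", "C", "D")]


def mesh_routes_at_a_trimmed():
    """Second post's advice: the data-centre link carries only the DC LAN
    and each direct link carries only the LAN at its far end."""
    return [(LANS["D"], "ovpnc_dc"),
            (LANS["B"], "ovpn_ab"),
            (LANS["C"], "ovpn_ac")]


def mesh_routes_at_a_keeping_dc_list():
    """Third post's constraint taken literally: the DC link still lists all
    remote LANs and the direct links add the same /24s, so B and C tie."""
    return hub_and_spoke_routes_at_a() + [(LANS["B"], "ovpn_ab"),
                                          (LANS["C"], "ovpn_ac")]


def mesh_routes_at_a_with_summary():
    """A way to keep a catch-all via the DC without a tie (assumption:
    10.0.0.0/8 covers every site): the DC link carries the summary, the
    direct links carry the more specific /24s, which win by prefix length.
    Sites without a direct link still reach the DC through the summary."""
    return [(ip_network("10.0.0.0/8"), "ovpnc_dc"),
            (LANS["B"], "ovpn_ab"),
            (LANS["C"], "ovpn_ac")]


def next_hop_for_site(routes, site):
    """Interface site A would use for a host (.10) on the named site's LAN."""
    return lookup(routes, str(LANS[site][10]))


if __name__ == "__main__":
    for name, table in (("hub-and-spoke", hub_and_spoke_routes_at_a()),
                        ("mesh, trimmed lists", mesh_routes_at_a_trimmed()),
                        ("mesh, DC summary", mesh_routes_at_a_with_summary())):
        print(name, {s: next_hop_for_site(table, s) for s in "BCD"})
    try:
        next_hop_for_site(mesh_routes_at_a_keeping_dc_list(), "B")
    except ValueError as e:
        print("mesh, DC list kept:", e)
```

The summary-route variant is the model's version of what the third post calls "set up routes": the data centre keeps a route that covers every site, while each direct link's /24 is more specific and therefore preferred. It only helps if the site addressing actually summarises; with scattered subnets the trimmed-list approach from the second post is the safer one.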

